Staff IT skills gap hinders security efforts, CompTIA reports

AlexNguyen Member Posts: 358
Knowledge has no value if it is not shared.
Knowledge can cure ignorance, but intelligence cannot cure stupidity.

Comments

  • erpadmin Member Posts: 4,165
    Another top priority among two-thirds of businesses is mobility, which is more nascent than security. There is now more demand for flexibility among end users, who don’t want to be limited to using a BlackBerry or other standardized devices.
    “Because it has happened so quickly, many organizations and their IT staff are still catching up to understand the technology and make sure they strike the right balance between protecting the technology and giving flexibility for devices to be used,” Herbert said.
    Because bring-your-own-device (BYOD) is such a new model, businesses are having trouble keeping up with emerging security concerns on the mobile platform as well, according to Herbert.
    “From the security standpoint, there are increasing concerns about mobile malware and data loss. There are not that many companies yet that have full-blown mobile device management (MDM) applications and processes in place,” Herbert said, citing tools like remote wiping as one way to protect corporate info on any device.

    If you're in an organizational culture where your users dictate IT security policy, good luck with that.

    I don't think there's an IT skills gap where security is concerned....I think part of it is IT laziness when it comes to governance (seriously, how many shops out there have users with local admin rights on their boxes?)

    The phone deal is going to be quite a different story. I would personally be in favor of having folks go to an IT person (be it a help desk person or an Exchange admin) and having that person inspect the personal smartphone before allowing it to access the network for email/VPN. Then have users sign something that states that if the phone is lost, the organization can wipe the phone without any hesitation. Truth is, I don't see that happening, in part because of laziness. I know a good number of good shops do this....but not many.
  • LinuxRacr Member Posts: 653
    erpadmin wrote: »
    If you're in an organizational culture where your users dictate IT security policy, good luck with that.

    I don't think there's an IT skills gap where security is concerned....I think part of it is IT laziness when it comes to governance (seriously, how many shops out there have users with local admin rights on their boxes?)

    More than you think. Don't ask me how I know....
    erpadmin wrote: »
    The phone deal is going to be quite a different story. I would personally be in favor of having folks go to an IT person (be it a help desk person or an Exchange admin) and having that person inspect the personal smartphone before allowing it to access the network for email/VPN. Then have users sign something that states that if the phone is lost, the organization can wipe the phone without any hesitation. Truth is, I don't see that happening, in part because of laziness. I know a good number of good shops do this....but not many.

    A company I have worked for has a LOT of mobile devices that are company-owned, and which thus have access to a lot of internal info, such as e-mail, and the like. The way I see it, a lot of security gaps have to do with resource constraints (in that people are having to prioritize work due to manpower shortage), and allocation of budget. In order to manage said devices, on such a large scale, there has to be a centralized way of configuring the devices before delivery, and management of said devices after delivery, which includes security policy. The users have to rubber-stamp a security/corporate policy of use, and agree to certain security settings before using the device (such as always being password-locked automatically when not in use, and erasure of data after a certain number of failed password attempts).
    My WGU B.S. IT - Security Progress : Transferred In|Remaining|In Progress|Completed
    AGC1, CLC1, GAC1, INC1, CTV1, INT1, BVC1, TBP1, TCP1, QLT1, HHT1, QBT1, BBC1 (39 CUs), (0 CUs) (0 CUs)
    WFV1, BNC1, EAV1, EBV1, COV1 | MGC1, IWC1 | CQV1, CNV1, IWT1, RIT1 | DRV1, DSV1, TPV1, CVV1 | EUP1, EUC1, DHV1| CUV1, C173 | BOV1, CJV1, TXP1, TXC1 | TYP1, TYC1, SBT1, RGT1 (84 CUs) DONE!
  • TheCudder Member Posts: 147
    erpadmin wrote: »
    I don't think there's an IT skills gap where security is concerned....I think part of it is IT laziness when it comes to governance (seriously, how many shops out there have users with local admin rights on their boxes?)

    I provide desktop support for a large & very well known Fortune 500 company that gives its users local administrative rights to their systems.
    B.S. Information Technology Management | CompTIA A+ | CompTIA Security+ | Graduate Certificate in Information Assurance (In Progress)
  • joehalford01 Member Posts: 364
    Part of the issue is definitely corporate culture. "Yes, security is our number one top priority!"...one week later..."...we need to keep productivity in mind, your settings are making it hard to get work done, we need to make some exceptions..."

    Another serious pain is custom programs written by Vendors that require the user to be a local admin. Really? God forbid we find a good vendor that knows how to write a program....
  • buzzkill Member Posts: 95
    TheCudder wrote: »
    I provide desktop support for a large & very well known Fortune 500 company that gives its users local administrative rights to their systems.

    And good for them I say. I'd imagine that the number of help desk hours that saves by not having to assist users install legit apps outweighs the time spent fixing problems caused by them running as admin users.
  • higherho Member Posts: 882
    buzzkill wrote: »
    And good for them I say. I'd imagine that the number of help desk hours that saves by not having to assist users install legit apps outweighs the time spent fixing problems caused by them running as admin users.

    There's ways around this. For example, ePO (McAfee product) can prevent unauthorized installs, and only approved software can be installed on your machine. Of course you would need someone to create these policies and maintain the ePO. Either way I think giving local admin rights is just bad in general.
  • erpadmin Member Posts: 4,165
    higherho wrote: »
    There's ways around this. For example, ePO (McAfee product) can prevent unauthorized installs, and only approved software can be installed on your machine. Of course you would need someone to create these policies and maintain the ePO. Either way I think giving local admin rights is just bad in general.


    Heck, even a properly configured Windows Domain with GPOs can do that, sans McAfee's EPO (which my shop uses just to push out the antivirus throughout the domain).....but that just goes back to my point about governance.....and laziness. Helpdesks in many organizations don't want to deal with IT security, so they let the users do whatever they want...whether these are at Fortune 500 shops or public sector shops. Whereas I've seen shops from both sectors that are very strict on IT security.

    It is all about succumbing to culture, vs. doing the right thing by IT security. There has to be a balance.

    I'll say this though, even Darril Gibson wrote that IT Security is useless if it impedes business. At the same time, if you have a broken lock, you don't fix that by removing the door.
  • techdudehere Member Posts: 164
    When I worked at a large corporate helpdesk, techs could only use software from the central repository plus a few screened tools from a shared drive; nothing else could be applied, even if it was a well-known application or an MS update. This was to prevent accidental license misuse, malware, or software conflicts. You could request access to a tool, but the process was not quick. They'd rather reimage than use unapproved tools, which makes sense when dealing with thousands of PCs. With medium-sized businesses, it's nice to have the ability to download malware removal tools and such; having access to the newest versions can be helpful. Of course, it's hard to beat the certainty of a rebuild. All hard disks used full volume encryption. In the smaller companies, I have found the policies vary, but generally they tend to worry about what's easy first and security second. I've often had to go into some detail about why this is the wrong set of priorities to get policies implemented, but I consider it part of my job.

    In my opinion, it's silly to take away admin rights and not implement patch management. Most of the data is accessible via the user's permissions yet the person cannot update software to close security flaws! I do agree with taking away admin rights, but I disagree that simply doing that is enough. With windows based systems, the 3rd party apps will not be updated unless a plan is put into place for this.

    I'm not sure where I am going with all this lol I actually just meant to say I agree a lot of techs get lazy with basic security even if they know better. Non-complex passwords, not locking down firewall rules, wide open terminal servers, violating licenses (i.e. loading a single-user license on a terminal server or 15 workstations) etc. I see these things happening all the time. The good news is with such poor security practices being the norm, it is easy to come off as being a security pro even when you're not!
  • higherho Member Posts: 882
    erpadmin wrote: »
    Heck, even a properly configured Windows Domain with GPOs can do that, sans McAfee's EPO (which my shop uses just to push out the antivirus throughout the domain)

    True, the only reason why ePO does it is because of security / control reasons (heck, the ePO is in its own workgroup, not in Active Directory, and on its own VLAN). Yeah, I have to push out ACCM (this provides me all installed information in all my domains), Policy Auditor, SiteAdvisor (really nice!), DLP (I can basically prevent external HDDs from being installed on the machine unless they're pre-approved), antivirus, spyware, local firewall, HIPS, etc. Much more on certain servers too (rogue detection).
    .....but that just goes back to my point about governance.....and laziness. Helpdesks in many organizations don't want to deal with IT security, so they let the users do whatever they want...whether these are at Fortune 500 shops or public sector shops. Whereas I've seen shops from both sectors that are very strict on IT security.

    Pretty much, I bet Sony's online network has a whole security division now after they got slammed by the government and consumers about that big PSN attack a few months back. I honestly think most IT personnel do not take security into consideration unless you specialize in it or work in an area that has governance like you said. Heck, each week I have a system that needs updating and has all my assets in for vulnerability maintenance.

    I'll say this though, even Darril Gibson wrote that IT Security is useless if it impedes business. At the same time, if you have a broken lock, you don't fix that by removing the door.

    That's true. I think you should lock down the box as much as you can, but your application should also be secured / locked down (most databases I see use SQL authentication versus Windows authentication, which is a big mistake in certain circumstances).
  • erpadmin Member Posts: 4,165
    higherho wrote: »
    I think you should lock down the box as much as you can but your application should also be secured / locked down (Most databases I see use SQL authentication versus Windows authentication which is a big mistake in certain circumstances).

    Ummm...I don't see why Windows authentication would be less secure than SQL authentication. The only difference between the two is that Windows authentication allows you access to the database with your domain credentials. However, even then, the DB security still gets applied based on who holds those credentials.

    For example, I have my ERP developers have access to our production databases only so that they can perform queries against it. They only have read-only access and they use their Windows authentication login. On the developer databases, they have read and write access (otherwise, they can't do their jobs.) But where production is concerned, I wouldn't be doing my job if they had read and write access to production. They don't have admin rights to the server either (in fact, it's obviously not required.)

    The only time I deal with SQL authentication (aside from the sa account) is if I have to create an application user that an application will need to have rights to the database. Other than that, Windows Authentication is pretty much all right.
  • higherho Member Posts: 882
    erpadmin wrote: »
    Ummm...I don't see why Windows authentication would be less secure than SQL authentication. The only difference between the two is that Windows authentication allows you access to the database with your domain credentials. However, even then, the DB security still gets applied based on who holds those credentials.

    I'm not a DBA, but I recently had to process some vulnerabilities and one of them was to use Windows Authentication for all your databases, not mixed / SQL only. Some of the legacy DBs cannot, so they had to be left open. I will need to look into the complete detail of the finding. However, I do remember that SQL authentication does not use the Kerberos authentication protocol. Also, SQL authentication allows you to let users log in from untrusted or unknown domains.
    For example, I have my ERP developers have access to our production databases only so that they can perform queries against it. They only have read only access and they use their Windows authentication login. The developer databases, they have read and write access (otherwise, they can't do their jobs.) But where production is concerned, I wouldn't be doing my job if they had read and write access to production. They don't have admin rights to the server either (in fact, it's obviously not required.)

    I do this at work; we run a batch script for SQL Management Studio (the batch script elevates it to point it to another domain) with their Windows user account (from that domain) to allow them to read the database. But this can work with Windows Authentication mode and does not require SQL authentication mode as long as that Windows group is in a SQL role that only allows them read access to the DB.
    The only time I deal with SQL authentication (aside from the sa account) is if I have to create an application user that an application will need to have rights to the database. Other than that, Windows Authentication is pretty much all right.

    This is a little different if you have a SQL server running an application on a local machine in its own workgroup (meaning you can use local user accounts instead of SQL authentication mode for application users). But yeah, I see your point and have seen instances where you need SQL authentication in that sense.
  • erpadmin Member Posts: 4,165
    That makes sense if you're using multiple domains. Sounds like your SQL Servers are in one domain, and your users are in another. When my SQL Servers were on 2000, we had mixed authentication as well. When we went to 2005/2008 (2005 was brief....but it had to be done because 2008 R2 was not yet certified. However the upgrade from 2K5 to 2K8 R2 was relatively painless.) we went the windows authentication model for both security and simplicity (doing a DB refresh meant recreating user logins...not cool.) Once a refresh was done, I'd give the developers their write access and call it a day.

    But yeah, there are gonna be instances where you need to use SQL authentication only (you're never going to get rid of the sa account...but that account should be locked down!) Any account you create should have a strong password to begin with. (You'd think that would go without saying.....)

    Database Administration should be something you might want to look into. Compared to Cisco/Microsoft admins, they are not a dime a dozen. Plus, with an optional programming language under your belt (just enough to know what's going on...), you might find that you'll like both the work and pay. :)
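    The provisioning pattern the last few posts describe (Windows-authenticated AD group with read-only access to production and read/write to dev, SQL authentication only for an application account, sa locked down, strong passwords) as an added T-SQL example; this is not code from the thread or from any poster. The domain, group, database and login names (CORP\ERP-Developers, ERP_Prod, ERP_Dev, erp_app_svc) and the placeholder password are assumptions for illustration; run it as a sysadmin in SSMS against a SQL Server 2008 R2 or later instance and substitute your own names.

```sql
-- Added example, not from the thread. Assumed names: domain CORP, AD group
-- CORP\ERP-Developers, databases ERP_Prod / ERP_Dev, application login erp_app_svc.

-- 1. Which authentication mode is the instance in?
--    1 = Windows authentication only, 0 = mixed mode (Windows + SQL logins).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS WindowsAuthOnly;

-- 2. Windows authentication: one login for the AD group, no per-user logins.
--    AD (Kerberos/NTLM) does the authentication, group membership is managed
--    in AD, and a database refresh does not mean recreating individual logins.
USE master;
CREATE LOGIN [CORP\ERP-Developers] FROM WINDOWS WITH DEFAULT_DATABASE = ERP_Dev;

USE ERP_Prod;
CREATE USER [CORP\ERP-Developers] FOR LOGIN [CORP\ERP-Developers];
-- Read-only in production (ALTER ROLE ... ADD MEMBER on SQL Server 2012+).
EXEC sp_addrolemember 'db_datareader', 'CORP\ERP-Developers';

USE ERP_Dev;
CREATE USER [CORP\ERP-Developers] FOR LOGIN [CORP\ERP-Developers];
-- Read/write in dev so the developers can do their jobs.
EXEC sp_addrolemember 'db_datareader', 'CORP\ERP-Developers';
EXEC sp_addrolemember 'db_datawriter', 'CORP\ERP-Developers';

-- 3. SQL authentication only where an application cannot use a domain identity.
--    CHECK_POLICY ties the login to the Windows password policy of the host;
--    the placeholder password below must be replaced with a generated one.
USE master;
CREATE LOGIN erp_app_svc
    WITH PASSWORD = N'<generated-strong-password>',   -- placeholder, assumption
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = OFF,
         DEFAULT_DATABASE = ERP_Prod;

USE ERP_Prod;
CREATE USER erp_app_svc FOR LOGIN erp_app_svc;
-- Grant only what the application needs, on its schema, instead of db_owner.
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO erp_app_svc;

-- 4. sa cannot be dropped, but it can be disabled and renamed so that the
--    well-known name is not a valid target for password guessing.
USE master;
ALTER LOGIN sa DISABLE;
ALTER LOGIN sa WITH NAME = [sa_disabled];

-- 5. Audit the SQL logins that remain: policy checking off, blank password,
--    or password equal to the login name all show up as 1 in these columns.
SELECT name,
       is_disabled,
       is_policy_checked,
       is_expiration_checked,
       PWDCOMPARE('',   password_hash) AS blank_password,
       PWDCOMPARE(name, password_hash) AS password_is_login_name
FROM sys.sql_logins
ORDER BY name;

-- 6. Who can read or write production? Re-run after every refresh, since
--    restoring a database restores its users and role memberships with it.
USE ERP_Prod;
SELECT r.name AS role_name, m.name AS member_name, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('db_datareader', 'db_datawriter', 'db_owner')
ORDER BY r.name, m.name;
```

    The two audit queries at the end are the part worth keeping around: the first flags SQL logins that bypass password policy or still carry a blank or trivially guessable password, and the second shows who actually holds read or write access in production after a refresh, which is where the per-login cleanup erpadmin mentions tends to go wrong.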
  • higherho Member Posts: 882
    erpadmin wrote: »
    That makes sense if you're using multiple domains. Sounds like your SQL Servers are in one domain, and your users are in another. When my SQL Servers were on 2000, we had mixed authentication as well. When we went to 2005/2008 (2005 was brief....but it had to be done because 2008 R2 was not yet certified. However the upgrade from 2K5 to 2K8 R2 was relatively painless.) we went the windows authentication model for both security and simplicity (doing a DB refresh meant recreating user logins...not cool.) Once a refresh was done, I'd give the developers their write access and call it a day.

    Yeah, we have four forests which replicate the production environments (well, one of them is a test environment). 2008 R2 is awesome; wanted to go SQL 2010 for the tech refresh though.

    Database Administration should be something you might want to look into. Compared to Cisco/Microsoft admins, they are not a dime a dozen. Plus, with an optional programming language under your belt (just enough to know what's going on...), you might find that you'll like both the work and pay. :)

    In my current position I had to learn basic SQL; it's helpful and fun. My brother-in-law, who does DB work and Java development, tries to get me into the SQL realm lol, or some sort of programming field. SQL has helped me in my administration process, and scripting languages of course too.
  • ptilsen Member Posts: 2,835
    buzzkill wrote: »
    And good for them I say. I'd imagine that the number of help desk hours that saves by not having to assist users install legit apps outweighs the time spent fixing problems caused by them running as admin users.

    I'd disagree with that conjecture, and not based on imagination. Of my ~30 clients, the handful that insist on local admin rights require significantly more IT time to manage, per workstation, than the rest. One of our largest clients has all end-users get admin rights. That client uses five times the amount of IT hours as a similar-size client that has a highly restricted, homogenized environment.
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340
  • doobies Member Posts: 30
    TheCudder wrote: »
    I provide desktop support for a large & very well known Fortune 500 company that gives its users local administrative rights to their systems.
    Then you should be able to move into security/incident handling in no time....
    Grem or die
    cyber is getting spooky.. Too much commercialism spreading sh!t analysis/misinformation.

    whats your plan to fix it..
  • Roguetadhg Member Posts: 2,489
    Politics play a larger role. If someone has enough pull, they can circumvent any policy for their own wish. :\
    In order to succeed, your desire for success should be greater than your fear of failure.
    TE Threads: How to study for the CCENT/CCNA, Introduction to Cisco Exams

  • Hypntick Member Posts: 1,451
    not locking down firewall rules, wide open terminal servers
    This is my personal bane here. As our firewalls require VPN licenses, I continue to run into issues where, rather than charge the client the fee, they just have a hole in the firewall to allow direct RDP. The moment I see that, I shut the port and wait for the inevitable phone call. To save a few bucks you're going to open your entire organization to potential havoc? Luckily my management is on my side with these cases, and more than one engineer has had a "not so polite" talking to about leaving holes.
    WGU BS:IT Completed June 30th 2012.
    WGU MS:ISA Completed October 30th 2013.